Amazon Web Services is the world’s biggest cloud provider. As a result, its security directly influences that of countless websites and online services. And those concerns aren’t just theoretical; dangerous lapses happen all the time. Customers store all sorts of datasets and raw information in AWS repositories, which then become part of their own infrastructure. If a customer makes a mistake in how they set something up, or they don’t understand the full implications of an AWS feature, it can expose them to the risk of unauthorized access and data exfiltration.
AWS account misconfigurations have exposed everything from voter registrations, to FedEx customer data, insurance information, and even the systems of the massive accounting and consulting firm Accenture.
Two new tools might help alleviate the problem, though. Known as Zelkova and Tiros, the offerings from the AWS Automated Reasoning Group analyze crucial AWS security configurations, evaluating access control schemes and mapping possible paths to the open internet from an S3 bucket. They also offer automated feedback on the practical ramifications of different setups, helping administrators avoid dangerous errors.
“What we’re hoping to achieve is to get a kind of provable security out of our systems,” said Greg Frascadore, security architect at the hedge fund Bridgewater Associates, which has been testing Zelkova and Tiros, speaking at an AWS conference in New York City on Tuesday. “By provable security I don’t mean that what we get out is infallible security. Instead what we’re trying to get is a formal analysis, and a methodical way that we have gone about verifying that the security controls we put into place are working the way we think they’re working. Our security objective here is to stop data exfiltration from AWS.”
The tools provide a one-two punch. Tiros maps the connections between network mechanisms, and is particularly useful for checking for unexpected access from the open internet. Zelkova, meanwhile, can create benchmarks for comparison between different S3 buckets or other AWS components, helping developers understand how permissive their setups are compared to their existing infrastructure, or a model S3 bucket. Zelkova also uses automated logic to play configurations out to their possible extremes. Together, the two tools help spot mistakes before they go live.
“A very important thing about these tools is that you can verify things during the design stage,” Frascadore says. “One of the things that we would really like to be able to do is security verification before we make a change to the actual AWS infrastructure, so before we put a vulnerability into the account.”
Frascadore and Bridgewater technology and security lead Tim Kropp note that Tiros and Zelkova are still bare bones internal tools, with complicated and unfriendly user interfaces. Bridgewater worked with AWS on testing them and invested its own resources in exchange for access to the tools, but Frascadore and Kropp are now helping generate interest to get AWS to do the push to refine them into consumer-grade products. An AWS spokesperson said the company couldn’t comment on whether it would deploy Tiros and Zelkova more broadly, but noted that Zelkova is already used in the S3 dashboard for automatic checks for things like which buckets can be publicly accessed.
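The kind of check described above, the S3 dashboard flagging buckets that anyone can read and Zelkova comparing a bucket policy against a "model bucket", can be approximated with a few lines of code. The following is an added illustration, not Zelkova's own algorithm (which uses formal reasoning rather than the syntactic walk shown here) and not code from AWS or Bridgewater; the bucket policies and the account and VPC endpoint identifiers in it are constructed samples.

```python
import json

# Constructed sample bucket policies (illustrative only, not from the article).
PUBLIC_READ = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-bucket",
                                "arn:aws:s3:::example-bucket/*"]}],
}
ACCOUNT_ONLY = {  # the "model bucket": readable by one account only
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AccountRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
VPC_ONLY = {  # anonymous principal, but narrowed by a condition
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VpcRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123"}}}],
}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} means any caller, including unauthenticated ones.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_actions(policy):
    """Map each action an Allow statement grants to an anonymous principal to
    whether every such grant carries a Condition. Deny statements and action
    wildcards are not expanded, so this over-approximates exposure, which is
    the safe direction for a pre-deployment check."""
    exposed = {}
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        conditioned = "Condition" in st
        for action in _as_list(st.get("Action", [])):
            exposed[action] = exposed.get(action, True) and conditioned
    return exposed

def unconditionally_public(policy):
    return sorted(a for a, cond in public_actions(policy).items() if not cond)

def no_more_permissive_than(candidate, baseline):
    """True when the candidate exposes nothing unconditionally that the
    baseline (model bucket) policy does not also expose."""
    return set(unconditionally_public(candidate)) <= set(unconditionally_public(baseline))
```

Running `no_more_permissive_than(PUBLIC_READ, ACCOUNT_ONLY)` before a deployment returns False, which is the design-stage verdict the article's approach aims to give before a public bucket ever exists.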
The fact that AWS is talking about the tools more openly is an indicator that the organization is seriously considering the best ways to deploy them. And the idea of distributing them more broadly ties in to AWS vice president of security engineering and chief information officer Stephen Schmidt’s larger vision for fundamentally changing how humans and data interact at AWS. Schmidt told WIRED last week that he has set a security goal for every vice president in the organization to “radically restrict and monitor human access to data.”
The use of “radically” is not an understatement. “The number that I used was 80 percent reduction in human access to data,” Schmidt says. “And the reaction I got from people was ‘you’re insane, this is impossible.’ And that is exactly why I chose that number, because it is impossible to achieve without automation. The goal is to guide people to build tools for things that they would otherwise do by hand.”
Tiros and Zelkova are the types of utilities that fit into this push, but Schmidt wants AWS to keep building out mechanisms that protect customers in all different ways. “Human access to data is just something that we need to have to do business, everybody does,” Schmidt says. But that doesn’t mean all access is always appropriate. “Often organizations give their administrators excessive access to data because it’s the easiest thing to do, it’s the most convenient thing to do. And I feel really, really strongly that we need to as an industry be draconian about restricting that access when it’s not absolutely necessary. If you keep the humans away from the data, you remove whole classes of attack.”
The process fits into a long-term AWS initiative to lock itself out of access to customers’ infrastructure and data. That complicates things for AWS in terms of being able to provide customer support and reliability management, but Schmidt is adamant that it’s the only way to reduce risk. And he wants to push even farther on limiting access. So how’s the 80 percent reduction going so far within the organization?
“There are some teams that will absolutely hit it,” Schmidt says. “There are some teams that are making great progress but won’t hit everything this year. Realistically speaking, it was an audacious ask. The good news is that everybody’s on board now, everybody’s invested. Even the naysayers realized after a while that ‘this is actually good for me.’”